Revise cookie 'secure flag' enable condition

The localhost is 'potentially trustworthy' and RFC 6265 allows setting secure flag in this case. Also check `X-Forwarded-Proto` header value to support reverse proxy usage. Note: for reverse proxy users, now the `X-Forwarded-Proto` header is expected to be sent to qbt otherwise the `secure` flag might be set erroneously. https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.5 https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy Closes #21250. PR #21260.
2026-01-02 05:38:06 -06:00 · 2024-09-07 21:38:27 +08:00
parent d9bc7935eb
commit 130c0d8487
6 changed files with 27 additions and 6 deletions
--- a/src/webui/www/private/views/preferences.html
+++ b/src/webui/www/private/views/preferences.html
@@ -988,7 +988,7 @@
            </div>
            <div class="formRow">
                <input type="checkbox" id="secureCookieCheckbox">
-                <label for="secureCookieCheckbox">QBT_TR(Enable cookie Secure flag (requires HTTPS))QBT_TR[CONTEXT=OptionsDialog]</label>
+                <label for="secureCookieCheckbox">QBT_TR(Enable cookie Secure flag (requires HTTPS or localhost connection))QBT_TR[CONTEXT=OptionsDialog]</label>
            </div>

            <fieldset class="settings">
@@ -1965,7 +1965,6 @@ Use ';' to split multiple entries. Can use wildcard '*'.)QBT_TR[CONTEXT=OptionsD
            const isUseHttpsEnabled = $("use_https_checkbox").checked;
            $("ssl_cert_text").disabled = !isUseHttpsEnabled;
            $("ssl_key_text").disabled = !isUseHttpsEnabled;
-            $("secureCookieCheckbox").disabled = !isUseHttpsEnabled;
        };

        const updateBypasssAuthSettings = function() {